
How To Prevent Financial Loss Through Email Protection

gtech


Sponsored Report

Many organisations and public institutions face the challenge of their corporate e-mail being compromised. In many cases this has led to lost business or embarrassment. Those that have not managed the situation successfully are typically those whose knowledge and technology partnerships need to be upgraded.
In technology parlance, business e-mail compromise (BEC) is when an attacker takes over a corporate e-mail account, or convincingly impersonates one, and poses as its real owner to defraud the company.
BEC is also known as a “man-in-the-email” attack, a term derived from the “man-in-the-middle” attack, in which two parties believe they are talking to each other directly while an attacker is actually reading, and possibly altering, the communication.
A BEC scam starts with research. The attacker sifts through publicly available information about your company on your website, in press releases and even in social media posts, looking for the names and official titles of executives, the corporate hierarchy and even travel plans revealed by e-mail auto-replies.
The attacker then tries to gain access to an executive’s e-mail account. To remain undetected, he or she might create inbox rules that hide or forward particular messages, or change the reply-to address of outgoing mail, so that the executive is not alerted when the scam is executed.
Another trick is to send e-mail from a spoofed or lookalike domain. For example, the attacker might use mohammed.adeyemi@samp1e.com (a digit one in place of the letter l) instead of mohammed.adeyemi@sample.com, or emeka.damola@believeme.com instead of emeka.damola@beleiveme.com (two letters transposed). If you do not pay close attention, it is easy to be fooled by these slight differences. One of the best-known spoofed domain tricks was “PayPa1.com”, a scam site imitating the money transfer website PayPal.com.
After scouting corporate communications for some time, the attacker will have a good idea of which scam scenarios might work. For instance, if the company has many suppliers, he or she can send invoices to the accounts department demanding rush payment for materials. The attacker will know who is responsible for wire transfers and can craft a convincing scenario that requires the immediate transfer of funds.
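The inbox-rule tradecraft described above leaves a footprint that can be audited. The following is an added example, not code from the article or from Signal Alliance: it scans a list of mailbox rules for the patterns an attacker sets up to stay hidden (external auto-forwarding, deleting or moving finance-related mail into folders nobody reads, marking it read, and blank or punctuation-only rule names). The InboxRule schema is a simplified, hypothetical stand-in for what a mail platform's rule export (for example Exchange Online's Get-InboxRule) returns, ORG_DOMAIN is an assumed corporate domain, and the sample rules are constructed for this example.

```python
"""Audit mailbox rules for the hiding and forwarding patterns BEC attackers use.

Added example, not code from the article or from Signal Alliance. The
InboxRule schema is a simplified, hypothetical stand-in for what a mail
platform's rule export (e.g. Exchange Online's Get-InboxRule) returns, and
the sample rules below are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

ORG_DOMAIN = "sample.com"                       # assumed corporate domain
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "transfer", "bank", "remittance"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items",
                  "junk email", "archive", "conversation history"}


@dataclass
class InboxRule:
    name: str
    subject_contains: List[str] = field(default_factory=list)  # empty list = every message
    move_to_folder: str = ""
    forward_to: List[str] = field(default_factory=list)
    delete_message: bool = False
    mark_as_read: bool = False


def rule_findings(rule: InboxRule) -> List[str]:
    """Return human-readable reasons this rule looks like BEC tradecraft (empty if none)."""
    findings = []

    # Auto-forwarding outside the organisation lets the attacker keep reading
    # mail even after the stolen session or password is revoked.
    for addr in rule.forward_to:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain != ORG_DOMAIN:
            findings.append(f"forwards mail to external address {addr}")

    # Deleting, or moving into a folder nobody reads, keeps the victim from
    # seeing the supplier's or bank's replies to the attacker's messages.
    hides = rule.delete_message or rule.move_to_folder.lower() in HIDING_FOLDERS
    keywords = {k.lower() for k in rule.subject_contains}
    if hides and (not keywords or keywords & FINANCE_KEYWORDS):
        scope = "all mail" if not keywords else "finance-related mail"
        findings.append(f"hides {scope} (delete={rule.delete_message}, folder={rule.move_to_folder!r})")
    if hides and rule.mark_as_read:
        findings.append("marks hidden mail as read, so no unread counter gives it away")

    # Blank or punctuation-only names ('.', '..', '-') are chosen to be overlooked.
    if not rule.name.strip(".- "):
        findings.append("rule name is blank or punctuation only")
    return findings


def audit_rules(rules: List[InboxRule]) -> List[Tuple[str, List[str]]]:
    """Return (rule name, findings) for every rule that has at least one finding."""
    return [(r.name, f) for r in rules if (f := rule_findings(r))]


# Constructed sample: one benign rule and three that match the article's description.
SAMPLE_RULES = [
    InboxRule(name="Newsletters", subject_contains=["digest"], move_to_folder="Newsletters"),
    InboxRule(name=".", subject_contains=["invoice", "wire"], move_to_folder="RSS Feeds", mark_as_read=True),
    InboxRule(name="backup", forward_to=["ceo.backup@samp1e.com"]),
    InboxRule(name="cleanup", delete_message=True),
]

if __name__ == "__main__":
    for name, findings in audit_rules(SAMPLE_RULES):
        print(f"rule {name!r}:")
        for finding in findings:
            print(f"  - {finding}")
```

Run periodically against every mailbox, not only executives', and treat a new rule that hides or forwards mail as an incident trigger in its own right: attackers typically create it minutes after the first login from a new location.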
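The two lookalike domains above are instances of a general check that can run on incoming mail. The following is an added example, not code from the article or from Signal Alliance: it folds look-alike characters (1 for l, 0 for o, rn for m) into a normalised form, then measures an edit distance that counts adjacent transpositions, so both samp1e.com and believeme.com are caught against an allow-list of trusted domains; it also flags a Reply-To header whose domain differs from the From domain, the redirection trick mentioned in the previous paragraph. TRUSTED_DOMAINS and the sample messages are constructed for this example and are not real allow-lists or captured mail.

```python
"""Flag lookalike sender domains and mismatched Reply-To headers.

Added example, not code from the article or from Signal Alliance. The trusted
domain allow-list and the sample messages are constructed for this example;
the lookalike test generalises the article's two cases (digit-for-letter
substitution and transposed letters) to any single-edit variant.
"""
import email
from email.utils import parseaddr
from typing import List, Optional

TRUSTED_DOMAINS = {"sample.com", "beleiveme.com", "paypal.com"}   # assumed allow-list

# Characters attackers swap in because they look alike in common fonts.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "8": "b", "7": "t", "|": "l"})


def normalize(domain: str) -> str:
    """Lower-case, fold look-alike digits to letters, and collapse 'rn'->'m', 'vv'->'w'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent swaps."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[len(a)][len(b)]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    norm = normalize(domain)
    if norm in TRUSTED_DOMAINS:
        return norm
    for trusted in sorted(TRUSTED_DOMAINS):
        if osa_distance(norm, trusted) <= 1:
            return trusted
    return None


def analyze(raw_message: str) -> List[str]:
    """Return findings for one RFC 5322 message given as text."""
    msg = email.message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    findings = []

    target = lookalike_of(from_domain)
    if target:
        findings.append(f"From domain {from_domain} imitates trusted domain {target}")

    # A Reply-To on another domain quietly redirects the victim's answers,
    # which is how the attacker keeps the real account holder out of the loop.
    if reply_addr:
        reply_domain = reply_addr.rsplit("@", 1)[-1].lower()
        if reply_domain != from_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
        target = lookalike_of(reply_domain)
        if target:
            findings.append(f"Reply-To domain {reply_domain} imitates trusted domain {target}")
    return findings


# Constructed sample messages (only the headers matter here).
SAMPLE_MESSAGES = {
    "legitimate": "From: Mohammed Adeyemi <mohammed.adeyemi@sample.com>\n"
                  "To: accounts@sample.com\nSubject: Q3 figures\n\nSee attached.\n",
    "digit_swap": "From: Mohammed Adeyemi <mohammed.adeyemi@samp1e.com>\n"
                  "To: accounts@sample.com\nSubject: Urgent wire\n\nPay today.\n",
    "transposed": "From: Emeka Damola <emeka.damola@believeme.com>\n"
                  "To: accounts@sample.com\nSubject: Invoice\n\nNew bank details.\n",
    "reply_to":   "From: Mohammed Adeyemi <mohammed.adeyemi@sample.com>\n"
                  "Reply-To: mohammed.adeyemi@samp1e.com\n"
                  "To: accounts@sample.com\nSubject: Quick favour\n\nAre you at your desk?\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLE_MESSAGES.items():
        print(label, analyze(raw) or ["clean"])
```

A distance threshold of one edit is deliberately tight; on short domains it still produces false positives for unrelated but similar names, so use the result to quarantine or tag messages for review rather than to block outright, and keep the exact-match allow-list as the first check.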
Some examples of BEC scams include:
The fraudulent invoice scam is when a cybercriminal uses an employee’s e-mail to send notifications to customers and suppliers asking for payment to the cybercriminal’s account.
The fake boss scam is when a fraudulent e-mail is sent from a business executive’s account to employees instructing them to urgently transfer money from the corporate account to the criminal’s account.
The fake attorney scam is when a lawyer’s e-mail address is used to contact clients, asking that they pay money immediately to keep things confidential.
However, business e-mail compromise attacks do not only involve money; sometimes, attackers seek trade secrets.
One high-profile BEC case involved a Lithuanian cybercriminal who used the e-mail addresses of a supplier. The targeted companies included Google and Facebook, and by impersonating the supplier he stole around $100 million over two years. In another case, the CEO of FACC AG was fired after such an attack cost the company about $54 million.
By the end of 2016 the FBI had recorded more than 40,000 incidents of business e-mail compromise and related e-mail fraud, and identified losses had risen around 2,370 per cent since January 2015. In the second half of 2016 alone, the FBI reported 3,044 victims in the United States with a combined loss of around $346 million. Where does most of the money go?
Most victims are told to send the money to an Asian bank, usually in Hong Kong or China, or to a bank in the United Kingdom.
E-mail compromise attacks succeed for three reasons: insufficient security protocols, social engineering and a lack of employee awareness.
Multi-factor authentication should be implemented as IT security policy. It helps prevent unauthorised access to e-mail accounts, especially when an attacker attempts to log in from a new location or device. In addition to stronger security protocols, employee education is important: employees should be trained to identify fraudulent e-mails. Always be sceptical of urgent money transfer requests, especially those appearing to come from C-level executives, and verify them out of band, by phone on a number you already know or in person, never by replying to the e-mail itself, since the attacker may control where replies go.
According to Signal Alliance technical security consultant Victor Ugwu, the company offers a robust and adaptive e-mail security solution, both on-premise and in the cloud. Beyond e-mail security, it also provides tested and trusted cybersecurity solutions ranging from perimeter security and infrastructure security to cloud and mobile security and managed security services.